Privacy Policy

1. Introduction

Owlstone Medical Limited (referred to as “OML”, “We”, “Our” or “Us”) has, with the support of our clinical partners, customers and study participants, created a database/rich repository of breath-related Volatile Organic Compounds (VOC) and the context in which they have been found. This serves as a scientific research resource for both OML and authorised third-party researchers.

The Breath Biopsy VOC Atlas® (referred to as “Atlas”) is intended to help us achieve our mission to save lives and healthcare costs by using breath to detect illness earlier. We are also committed to sharing some Atlas data with the wider research community to maximise its impact, where we have the support of partners, customers and participants to do so. Data accessible to registered Atlas account holders will be either pseudonymised and aggregated or fully anonymised at all times (“Atlas Data”). Please see section 11 for information on your use of Atlas Data.

This privacy notice is designed to inform users of the Atlas website and researchers registered to access Atlas Data through this website (“you”, “your”), how your data will be collected, shared and used, and how to exercise the rights and choices that you have.

Information about how we collect and use data within Atlas can be found via OML’s privacy notice here.

This website is not intended for children or designed to collect data relating to children.

2. Data Controller

OML is the controller for the personal information we process as part of Atlas and this website.

We are registered with the Information Commissioner’s Office (the ICO) with registration number ZB023504.

We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.

Our DPO is:

We have also appointed an EU Representative to act on our behalf for EU GDPR matters.

Our EU Representative is The DPO Centre Europe Ltd.

For further details on how you can contact us or our EU Representative, please see the contact us section below.

3. The information we collect and when

3.1 Collection

We only collect personal information that we know we will genuinely require and use in accordance with Data Protection Legislation. In most instances we collect personal information directly from you, for example from online forms, from your use of our website, if you have provided your information to us at an event, by email, from clicking on one of our ads or as part of a market research survey.

3.2 Information

The type of personal information that we will collect from you depends on the nature of the relationship that we have with you. We may collect the following:

• Identity Data:
  Name
• Contact Data:
  Business or institution name, email address, and correspondence history
• Online Data:
  We may process Cookies and IP addresses. Should we process this information you will be able to find more information in a separate Cookie Policy.
• Researcher Data:
  Your institution, department, job title, account access, login and user preference information, as well as anything linked to this information, such as complaints made against publications.
• Other Data:
  Information that we may collect that is not specifically listed here but that we will use in accordance with this privacy notice or as otherwise disclosed at the time of collection.

4. How we use your information

4.1 Lawful basis

We only process, store or transfer your personal information when we have a legal basis for doing so. The lawful bases we may rely on to process the information identified in this notice are as follows:

• Legitimate Interest: processing is necessary for the purposes of our legitimate interests (i.e., our business interests), except where such interests are overridden by your interests or fundamental rights and freedoms.
• Consent: where you have given consent to the processing of your personal data for one or more specific purposes. You may withdraw this consent at any time, either through the channel in which you provided your consent, or by getting in touch via the contact us section below.
• Legal obligation: processing is necessary for compliance with our legal obligations.
• Contractual Obligation: processing is necessary to deliver a contractual service to you or for us to do something at your request before entering into a contract with you.

4.2 Purpose

We will only process, store and use your data in a manner that is consistent with the following:

5. Who we might share your information with

We may share your personal data with trusted third-party organisations, subject to written agreements, as follows:

• With third party companies or individuals (data processors) to perform services on our behalf. This could include data storage and analytics companies; technology support and communication services (email, web hosting, marketing, and advertising providers, etc.).

  We only share your data with data processors that can provide sufficient guarantees that they will process your data securely and in accordance with Data Protection Legislation. Our data processors are not legally permitted to do anything with your personal information unless we have instructed them to do it. They have provided us with written agreements that they will not share your personal information with any organisation apart from us or further sub-processors which must process your personal to the same high standards.

• With professional advisors, such as lawyers, where necessary in the course of the professional services that they render to us.
• With government or law enforcement officials or private parties as required by law and disclose and use such information as we believe necessary or appropriate.

In some situations, we may have a separate agreement or relationship with you with respect to a specific type of processing of your data. These situations will be governed by specific terms, privacy notices, or consent forms that provide additional information about how we will use your information. We will honour these additional terms with respect to your information and thus, strongly recommend you review the additional terms prior to participating.

6. International transfers of information

There is no expectation for your data to be transferred outside of the UK or the EEA to countries not deemed by the ICO (and/or European Commission as relevant) to provide an adequate level of personal information protection.

Should this be required in the future, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection legislation, such as the specific contracts approved by the ICO (or European Commission as relevant) providing adequate protection of personal information. This notice would be updated accordingly to reflect this.

7. Your rights over your information

You have a number of rights over how we manage your personal information. If you would like to exercise any of these rights, please contact our Data Privacy Team using the contact details in this notice. We may ask you for information to confirm your identity when responding to any such requests. We will typically respond to your requests within one month from the confirmation of your identity, unless we require additional time and are entitled to this under the relevant data protection legislation.

Under certain circumstances, by law you have the right to:

• 7.1 The right to be informed about our collection and use of personal data

  You have the right to be informed about the collection and use of your personal data. We ensure we do this through this and other privacy notices/information forms. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

• 7.2 Right to access your personal information

  You have the right to access the personal information that we hold about you by making a request. This is referred to as a ‘Data Subject Access Request’.

• 7.3 Right to rectify your personal information

  If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.

• 7.4 Right to object or restrict our processing of your data

  You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.

• 7.5 Right to erasure

  You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

• 7.6 Right to portability

  The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

• 7.7 Rights in relation to automated processing

  An automated decision is one that is made by systems rather than a person. Under Data Protection Legislation, you have the right to express your concerns and object to a decision taken by purely automated means. Such processing is not undertaken by OML for the purposes outlined in this notice.

• 7.8 For more information about your privacy rights

  The ICO regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here.

You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

8. How long we keep your information for

We will retain your personal information in order to provide you with a high-quality service, in accordance with Data Protection Legislation and for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.

We will typically maintain your account information for the duration of your relationship with us and for 5 years after termination or inactivity.

9. How we keep you updated on our services

As identified in section 4.2 above, we may contact you for several purposes.

We may send you service messages that provide you with information that we legitimately have cause to send you as a user of our products and services or in order to help us improve our products and services (feedback requests, market research, etc.). Such messages will not contain promotional material.

We may separately send you information regarding our products and services where we believe such messages are relevant and will be of interest to you. In such instances, we will contact you if you have provided your consent for the processing or, if you are a business contact, where we have a legitimate interest to do so. Each email communication will have an option to object to the processing. If you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences or by calling us on the number displayed on our website.

10. Security

Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure your collected data.

We take security measures to protect your information including:

• Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
• Implementing access controls to our information technology.
• We use appropriate procedures and technical security measures (including pseudonymisation, strict encryption and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

11. Your use of Atlas Data

Currently, all Atlas Data accessible through your account will be aggregated or anonymised to an extent that you will not be able to link it to an individual. It is therefore not considered “personal data” and you do not have any additional data protection obligations save that you must not take steps to attempt to link any Atlas Data to an individual. Should this change in the future, you may have obligations as a data controller under Data Protection Legislation – this will be covered in out our Legal Notices and Terms of Use, which you can refer to for further information.

12. Changes to Our Privacy Notice

We keep this privacy notice under regular review. We recommend that you check this notice regularly to keep up to date.

13. How to contact us

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice, the way your personal information is processed, please contact us by one of the following means:

• By email: privacy@owlstone.co.uk
• By post:
  
  Owlstone Medical Limited,
  183 Cambridge Science Park,
  Milton Road,
  Milton,
  Cambridge,
  CB4 0GJ
• By phone: 01223 428200

If you are based in Europe, you can contact our EU Representative, The DPO Centre Europe Ltd:

• By email: EuRep@owlstone.co.uk
• By post:
  
  The DPO Centre Ltd,
  Rue des Poissonniers 13,
  1000 Brussels,
  Belgium
• By phone: +32 2 786 19 61

Thank you for taking the time to read our privacy notice.

This notice was last updated August 2024